An anonymous HTTP request can run code on a WordPress site.
The bug is in core, so a bare install with zero plugins is
exploitable. Every 6.9 and 7.0 site was in range until Friday, when
WordPress shipped 6.9.5 and 7.0.2 and enabled what it calls forced
updates through its auto-update system. Adam Kues at Assetnote,
Searchlight Cyber's attack surface management arm, found the flaw
and reported
Read more https://thehackernews.com/2026/07/new-wp2shell-wordpress-core-flaw-lets.html

